How to manage Network Security Groups (NSG) in Azure


Microsoft Azure allows the administrator to control the traffic in subnets using the Network Security Group (NSG) feature. In this tutorial we go over the basics: creating an NSG, associating it with a subnet, and adding rules to it.


Any new VM created in a subnet gets the following network rules by default:

  • Traffic among subnets is allowed (no restrictions)
  • The VM has RDP (on a random public port) and PowerShell endpoints, as shown in the image below
  • All VMs can access the Internet


An NSG can be applied to a subnet or even to a single VM; in this tutorial we are going to apply it to a subnet. We will use the following network scenario, where we have a subnet called AP-DMZ on which we are going to deploy a few ADFS Proxy servers.


You may be wondering what the difference between endpoint ACLs and NSGs is. The answer is simple: endpoint ACLs apply only to inbound traffic arriving through the public IP, whereas an NSG lets us control both inbound and outbound traffic.

How to create an NSG…

The first step is to connect to Windows Azure using PowerShell; if you don’t remember how to do this, please check this tutorial out:

All NSG management is done through PowerShell at this point, so from now on all the configuration will be done using PowerShell.

In order to create an NSG we just need to specify a name, a datacenter location, and a label. The following cmdlet can be used:

New-AzureNetworkSecurityGroup -Name <NSG-name> -Location <Azure-datacenter-location> -Label "ADFS Proxy DMZ NSG"


Associating a subnet…

In order to list all NSGs we can run Get-AzureNetworkSecurityGroup, and we can use the pipe (“|”) to associate an NSG with a specific subnet.

In the example below we are associating our subnet AP-DMZ with the NSG that we have just created:

Get-AzureNetworkSecurityGroup -Name <NSG-name> | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName <Azure-network-name> -SubnetName <subnet-name>


After associating a default NSG with a subnet, the existing endpoints will no longer work: if you still need RDP or PowerShell access, they must be allowed at the NSG level using rules.

Creating an NSG rule…

Every NSG rule has a priority, and rules are evaluated from the lowest number to the highest. A rule is made up of nine items: name, type, priority, source IP address, source port range, destination IP range, destination port range, protocol, and access.

Using the following cmdlet we allow inbound traffic on port 443 from the Internet in our NSG (the destination prefix * covers every address in the associated subnet):

Get-AzureNetworkSecurityGroup -Name AZNA-NSG-DMZ | Set-AzureNetworkSecurityRule -Name IN-Internet-HTTPS -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix "INTERNET" -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443 -Protocol TCP

Another example is listed below; in this one we are allowing RDP traffic from the Windows Azure virtual network (including the on-premises network connected to it) to our AP-DMZ subnet:

Get-AzureNetworkSecurityGroup -Name AZNA-NSG-DMZ | Set-AzureNetworkSecurityRule -Name IN-LAN-RDP -Type Inbound -Priority 120 -Action Allow -SourceAddressPrefix "VIRTUAL_NETWORK" -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Protocol TCP

How to check the existing rules…

After creating all your rules you will have to maintain and document them. Using the following cmdlet we get, at a single glance, all the rules in place for both inbound and outbound traffic:

Get-AzureNetworkSecurityGroup -Name "AZNA-NSG-DMZ" -Detailed
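The rule creation and rule review steps above, combined into one script as an added example (not part of the original tutorial). It assumes the classic Service Management Azure PowerShell module, an already authenticated session, the placeholder NSG name AZNA-NSG-DMZ, and that the detailed NSG object exposes its rules under Rules.Inbound.

```powershell
# Added example: build the ADFS Proxy DMZ inbound rule set idempotently and then
# dump it in evaluation order for documentation. Assumes the classic (Service
# Management) module and an authenticated session (Add-AzureAccount already run).
$nsgName = 'AZNA-NSG-DMZ'   # placeholder name from the tutorial

# Each entry carries the nine items a rule is made of. Lower priority numbers are
# evaluated first, so both allows run before the platform's default deny-all.
$rules = @(
    @{ Name = 'IN-Internet-HTTPS'; Type = 'Inbound'; Priority = 100; Action = 'Allow'
       SourceAddressPrefix = 'INTERNET';        SourcePortRange = '*'
       DestinationAddressPrefix = '*';          DestinationPortRange = '443';  Protocol = 'TCP' },
    @{ Name = 'IN-LAN-RDP';        Type = 'Inbound'; Priority = 120; Action = 'Allow'
       SourceAddressPrefix = 'VIRTUAL_NETWORK'; SourcePortRange = '*'
       DestinationAddressPrefix = '*';          DestinationPortRange = '3389'; Protocol = 'TCP' }
)

# Fail before touching Azure if two rules share a priority: within one direction
# each priority must be unique, and a half-applied rule set is worse than none.
$dupes = $rules | ForEach-Object { $_.Priority } | Group-Object | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate rule priorities: $($dupes.Name -join ', ')" }

foreach ($r in $rules) {
    # Set-AzureNetworkSecurityRule creates the rule or updates it by name, so the
    # script can be re-run after editing $rules without producing duplicates.
    Get-AzureNetworkSecurityGroup -Name $nsgName |
        Set-AzureNetworkSecurityRule @r | Out-Null
}

# Review step: inbound rules sorted by priority, the same order the platform
# evaluates them in. Assumes the -Detailed object exposes Rules.Inbound.
(Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed).Rules.Inbound |
    Sort-Object Priority |
    Format-Table Priority, Name, Action, SourceAddressPrefix, DestinationPortRange, Protocol -AutoSize
```

The table at the end also shows the platform's default rules, so any customer rule that lands after the default deny-all entry never takes effect and should be given a lower number.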


NSGs are a great resource for building DMZs and protecting subnets in general when using Microsoft Azure.

Written by Anderson Patricio


Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services; besides the Microsoft award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft community with articles, tutorials, blog posts, Twitter, forums and book reviews. He is a regular contributor here and at Anderson (Portuguese).
